Statistical Anomaly Intrusion Detection System

Transcription

1 Statistical Anomaly Intrusion Detection System -Midterm Project By Sheng Li Presentation Outline What is statistical anomaly IDS? Methods Evaluating Benchmarking Case-studies NIDES, AAFID, JiNao Conclusions and Future Works 11/14/2000 Statistical Anomaly Intrusion Detection System 2

2 Intrusion Detection Techniques Misuse Detection Seeking for matches Known attack recognition only Anomaly Detection Assumption: Deviation Capable to detect new threats Solution in most IDS: Combine the two techniques to achieve higher performance and higher precision 11/14/2000 Statistical Anomaly Intrusion Detection System 3 Types of Threats and SAIDS Threats Attempted break-in: Tempered executables: Denial of service: Leakage: Malicious use: Masquerade attack: High rate of login failure Statistical Symptoms Atypical CPU and I/O activity, frequency of executables rewritten Atypical usage pattern of system resources Atypical use of system resources executed Excessive protection violation, directories browsing Abnormal login time, location, connection type, different types of processes 11/14/2000 Statistical Anomaly Intrusion Detection System 4

3 Event outcomes Benchmarking SAID Determining hits, misses, and false alarms Ground truth Positions and types of test Threshold Level of triggering alarms Scope Range of data the detector takes into account 11/14/2000 Statistical Anomaly Intrusion Detection System 5 Case Studies NIDES (Next-generation Intrusion Detection Expert System) Developed by SRI/CSL lab, concluded in 1995 Provided the most fundamental and developed algorithm models AAFID (Autonomous Agents For Intrusion Detection) Developed by COAST Laboratory at Purdue University Most recent release of AAFID2 in Sep 1999 JiNao Developed jointly by Microelectronics Center of North Carolina (MCNC) and North Carolina State University Most recent modification on June /14/2000 Statistical Anomaly Intrusion Detection System 6

4 NIDES Architecture: Auditing data collected from hosts being monitored NIDES runs on its own station to detect intrusions ID component uses both rule-based analysis and statistical analysis 11/14/2000 Statistical Anomaly Intrusion Detection System 7 NIDES statistical analysis Algorithm Measures- S: S = Φ -1 (1 TPROB/2) T 2 Statistics: T 2 = ( S S S n 2 ) /n Warning flags raised when either S or T 2 is high 11/14/2000 Statistical Anomaly Intrusion Detection System 8

5 AAFID Physical view of a Possible AAFID architecture 11/14/2000 Statistical Anomaly Intrusion Detection System 9 AAFID Architecture (Cont.) C UI Level 0 A Logical view of the same AAFID architecture Level 1 11/14/2000 Statistical Anomaly Intrusion Detection System 10 B D Level 2 E Level 3

6 JiNao OSPF routing protocol Attacks to OSPF Seq++ MaxAge MaxSeq# JiNao s solution: Distributed agents on routers Uses modified NIDES statistical algorithm in anomaly detection 11/14/2000 Statistical Anomaly Intrusion Detection System 11 JiNao Architecture 11/14/2000 Statistical Anomaly Intrusion Detection System 12

7 Conclusion Feature NIDES NiJao IDIP AAFID Real-time v v v v Off-line v v Detection Technique Hybrid Hybrid Hybrid Hybrid Data Collection Centralized Distributed Distributed Distributed Data Process Centralized Centralized Distributed Distributed Decision Making Centralized Centralized Distributed Distributed Intrusion Response - - v - Components Hosts, monitored Hosts Routers Gateways Hosts Reliability Low Medium High High Scalability Low High High High Decision Making Entities Single Single Multiple Multi-leveled 11/14/2000 Statistical Anomaly Intrusion Detection System 13 Future Works Collecting appropriate training data How to prevent being fooled Selecting proper threshold level for warnings, optimum size of scope, etc. 11/14/2000 Statistical Anomaly Intrusion Detection System 14

8 Thank you for attending my presentation! 11/14/2000 Statistical Anomaly Intrusion Detection System 15